<html>
<head>
<!-- Security Test moz4 -->
<link href="alert.css" rel="stylesheet" type="text/css" />
<title>Crunchy Security Test</title>
<script>
// Many of these security tests have been taken from http://ha.ckers.org/xss.html
function security_breach(){
	alert("This is security breach called from onload");
};

// Security Test #1
alert("this is security breach #1 from a <script>");
</script>
<!-- Security Test #12 -->
<!--[if gte IE 4]>
<SCRIPT>alert('security breach #12');</SCRIPT>
<![endif]-->

<!-- Security Test #13 -->
<STYLE type="text/css">BODY{-moz-binding:	url(" http://crunchy.voxelz.net/xssmoz.xml#xss")}</STYLE>

<!-- Security Test #14 with tab between url and (-->
<STYLE type="text/css">BODY{-moz-binding:url	(" http://crunchy.voxelz.net/xssmoz.xml#xss")}</STYLE>

<!-- Security Test #15 -->
<SCRIPT/SRC="functional_tests/alert.js"></SCRIPT>
</head>

<!-- Security Test #2 -->
<FRAMESET><FRAME SRC="http://crunchy.voxelz.net/xss.html"></FRAMESET>

<!-- Security Test #3 -->
<body onload="alert('security breach #3')">

<h1>The Crunchy Security tests</h1>
<p><b>More tests forthcoming ...</b></p>
<p>No javascript should survive on this page from the original document.  If some did, you should 
have seen some "alerts" appearing, or you should see an active link below that will 
trigger an alert.</p>

<!-- Security Test #4 -->
<script>document.write("security breach #4")</script>

<!-- Security Test #5 -->
<a href="javascript:security_breach5()">Security Test #5</a><br>

<!-- Security Test #6 -->
<a href="javas
cript:alert(&quot;security breach #6&quot;)">Security Test #6</a><br>

<!-- Security Test #7 -->
<a href=" javascript:alert(&quot;security breach #7&quot;)">Security Test #7</a><br>

<!-- Security Test #8 -->
<a href="JaVaScRiPt: alert(&quot;security breach #8&quot;);">Security Test #8</a><br>

<!-- Security Test #9 -->
<a href=JaVaScRiPt:alert('security_breach_#9')>Security Test #9</a><br>

<!-- Security Test #10 -->
<a href="jav	ascript:#*/;alert('security_breach_10')">Security Test #10</a><br>

<!-- Security Test #11 -->
<a href="&#106;Avascript:alert('security_breach_11')">Security Test #11</a><br>

<!-- Security Test #16 -->
<p style='-moz-binding:url("fake_alerts/alert13.xml#99")'>Security test 99</p>
<p style='-moz-binding:url("http://crunchy.voxelz.net/xssmoz.xml#xss")'>Security test 16</p>

<h2>Bugs</h2>
<ul>
  <li>There are no known security bugs in the security model used for Crunchy, using
  the 'strict' level.  The other two levels ('normal' and 'trusted') have potential security
  holes.  
  Crunchy's approach to security consists of two main parts:
<ul><li> a "script stripping" function (found in security.py), which removes any pre-existing javascript and other "unsafe" 
commands on the html page; 
</li>
<li> a "random session id" (found in CrunchyPlugin.py) that is appended to commands 
(like /exec and /doctest) that enable communication between the browser and Crunchy's server.  
This is done as a 2nd security layer in case we have overlooked some potentially 
unsecure javascript code.
<b><em>If</em></b> there remains some unsecure javascript, it is not clear how useful this second layer is: all it does is make
it more difficult to write javascript code that will send python code to the server
as it has to scan the page to identify the string to use.  However, it would prevent the
inclusion of Crunchy specific links to be included "by accident" on a page.</li>
</ul>
</li>
</ul>
<p><a href="index.html">Back to the test index</a></p>
</body>
</html>
